Introduction
The UK's National Cyber Security Centre (NCSC) has issued an urgent warning about a critical authorization bypass vulnerability in Next.js [2], a popular React-based web development framework [2]. The vulnerability, tracked as CVE-2025-29927 [2] [3] [4] [6], poses a significant security risk because it allows unauthorized access to sensitive application resources.
Description
The vulnerability arises from improper handling of authentication in the framework's middleware layer [5]: an attacker can inject a specially crafted ‘x-middleware-subrequest’ HTTP header, which the framework may misinterpret as an internal request, so that middleware authentication checks are skipped and restricted areas such as admin tools and dashboards become reachable [1]. Active exploitation of this vulnerability has been reported, highlighting its severity. The vulnerability has been assigned a CVSS score of 9.1 [1], indicating a high severity level [1], and proof-of-concept exploits are readily available.
The vulnerability was reported to the Next.js maintainers in February and affects all versions of Next.js from 11.1.4 through 13.5.6 (unpatched) [2], all versions of 14.x before 14.2.25 [2], and all versions of 15.x before 15.2.3 [2]. Applications deployed using the ‘next start’ command with the output set to ‘standalone’ are particularly vulnerable, while those hosted on platforms like Vercel or exported as static sites are not affected. The only guaranteed fix is to upgrade to a non-vulnerable version [3].
The NCSC recommends that, if immediate updating to a fixed version is not possible [2], users implement temporary workarounds, such as blocking incoming requests containing the ‘x-middleware-subrequest’ header at the edge or proxy level using load balancers or reverse proxies. For Cloudflare users [3], enabling a Managed WAF rule can help block this attack, although caution is advised because of potential impacts on third-party authentication frameworks. Organizations are also advised to monitor logs for potential attacks and to upgrade to the patched versions as soon as possible: 15.2.3 or higher for Next.js 15.x, 14.2.25 or higher for 14.x, 13.5.9 or higher for 13.x, and 12.3.5 or higher for 12.x. The UpGuard platform can assist in detecting the vulnerability through a two-step verification process [1], and the vulnerability has been identified across multiple companies within the S&P 500 [1]. Key takeaways include the importance of not trusting internal headers for authentication decisions [5], implementing multiple layers of security validation [5], and regularly auditing middleware for proper request verification to mitigate the risks associated with this vulnerability.
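The edge-level workaround and the log monitoring described above, as an added example that is not taken from the referenced articles or from the Next.js project itself. It assumes a Node.js-style request object whose header names are lower-cased (as Node's http module provides) and a constructed, hypothetical access-log format that records request headers; the middleware signature is the common Connect/Express shape.

```javascript
// Added example: reject inbound requests that carry the
// x-middleware-subrequest header at a proxy/gateway, and flag access-log
// lines that recorded it. Not code from the cited sources or from Next.js.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// True when the request carries the header under any letter-casing.
// Header names are case-insensitive, so normalize before comparing.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers).some(
    (name) => name.toLowerCase() === SUBREQUEST_HEADER,
  );
}

// Connect/Express-style middleware (assumed shape) for a Node reverse
// proxy: clients outside the application have no legitimate reason to
// send this header, so the request is refused before it reaches the app.
function blockSubrequestHeader(req, res, next) {
  if (carriesSubrequestHeader(req.headers)) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Log review: match the header name followed by ':' or '=' in a line,
// case-insensitively. The log format below is constructed for this example.
const HEADER_IN_LOG = /x-middleware-subrequest\s*[:=]/i;

function findSuspiciousLogLines(logText) {
  return logText.split('\n').filter((line) => HEADER_IN_LOG.test(line));
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '2025-03-24T10:00:01Z GET /dashboard 200 hdrs="host: app.example; user-agent: curl/8.0"',
  '2025-03-24T10:00:02Z GET /admin 200 hdrs="host: app.example; X-Middleware-Subrequest: <redacted>"',
  '2025-03-24T10:00:03Z GET /login 200 hdrs="host: app.example"',
].join('\n');

console.log('suspicious lines:', findSuspiciousLogLines(SAMPLE_LOG).length);
```

Blocking the header at the proxy is only a stopgap; the page's stated fix remains upgrading to a patched Next.js release.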
Conclusion
The CVE-2025-29927 vulnerability in Next.js underscores the critical need for robust security practices in web development. Organizations must prioritize upgrading to secure versions and consider implementing temporary workarounds to mitigate immediate risks. This incident highlights the importance of continuous monitoring, regular audits [5], and the adoption of comprehensive security measures to protect against evolving threats. Future implications include the necessity for developers to remain vigilant and proactive in addressing potential vulnerabilities to safeguard sensitive information and maintain the integrity of web applications.
References
[1] https://www.upguard.com/blog/critical-middleware-bypass-vulnerability-in-next-js-cve-2025-29927
[2] https://www.infosecurity-magazine.com/news/ncsc-urges-patch-nextjs-flaw/
[3] https://4imag.com/next-js-middleware-authorization-bypass-vulnerability-are-you-vulnerable/
[4] https://appcheck-ng.com/known-actively-exploited-vulnerabilities-round-up-21-03-25-27-03-25/
[5] https://techtalkpine.com/2025/03/demo-for-cve-2025-29927-nextjs/
[6] https://www.scworld.com/brief/active-exploitation-of-sitecore-next-js-draytek-vulnerabilities-ongoing